SSL in a nutshell

This blog is a refresher of the SSL protocol; next time I will demonstrate how SSL can be hacked by using OSS.

SSL was designed to make use of TCP in order to provide reliable end-to end secure service over the Internet. Hence, it provides security for HTTP protocol, authentication of server to client, and security services to ensure confidentiality and integrity.

SSLv2 developed by Netscape® in 1995. A few years later, PCT was (Private Communications Technology) developed by Microsoft®. Then, Netscape® overhauled SSLv2 and introduced SSLv3 which is still the most commonly deployed protocol.  IETF developed its on protocol – TLS.

During the SSL 4-way-handshake the client and server negotiate on a cipher suite and cooperatively establish session keys for secure communication.

Message 1: CLIENT
  1. Client initiates contact with server
  2. Generates random # Rc (32-bit time stamp and 28 bytes generated)
  3. Sends supported cipher suite
  4. Creates Session ID

Message 2: SERVER

  1. Server sends PKI certificate
  2. Server generates Random # Rs
  3. Picks cipher (lower of suggested version and highest supported by server)

Message 3: CLIENT

  1. Generates Pre-Master Key S (Random # S)
  2. Generates Master-Key K which is derived from Rc, Rs, and S (symmetric encryption)
  3. Verifies certificate and extract public key from certificate
  4. Encrypts Pre-Master Key S with extracted public key and sends to the server
  5. Hash Master-Key K and previous handshake messages (ensure tampering of handshake messages would be detected)

Message 4: SERVER

  1. Server proves he knows session keys by sending keyed hash of  all handshake messages, encrypted with symmetric write-encryption key, and integrity-protected with  write-integrity key
  2. Since session keys are derived from S the server knows server private key, because it was needed to extract Pre-Master Key S
Ultimately, three key pairs for encryption, integrity and IV are generated in each direction.
About these ads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s